What is Air-Gapped Signing?

Air-gapped signing means your hardware wallet has no cable or wireless connection at any point in the signing workflow. Learn what it means, how it works, and what it protects against.

Air-gapped signing means the device that holds your Bitcoin private key has no wired or wireless data connection to any computer at any point in the signing process.

Transaction data travels across a physical gap through QR code, memory card, or NFC tap, and the signing device remains isolated throughout.

What Does "Air-Gapped" Mean?

An air gap is a physical separation between two systems with no cable or wireless link between them. In Bitcoin hardware wallet terms, it means the signing device and the coordinator software on your computer never share a direct connection. Transaction data crosses the boundary through an intentional physical or visual medium, not a live data channel.

The term originates in data center security, where an air-gapped machine is physically isolated by a literal gap of air from any connected system.

Air-Gapping Is About the Workflow

A common misconception is that air-gapped simply means the device is unplugged between uses. Air-gapped signing means the entire signing workflow completes without any direct connection. A device that connects to coordinate, signs, and then disconnects is not air-gapped.

A non-air-gapped hardware wallet is more secure than a software wallet because the private key stays in isolated hardware that is not connected to the internet. Among hardware wallets, those that operate with air-gapped signing are even more secure as they remain completely disconnected even during the signing workflow.

Why Does the USB Connection Matter?

A USB connection is a bidirectional data channel, and that two-way access has been used in attacks against hardware devices, including attempts to push unauthorized firmware updates.

A live connection is also a probing surface. Remote attacks typically rely on repeated interactions and feedback: sending requests, reading responses, identifying how the device reacts to edge cases, and building a map of its behavior. Removing the persistent connection removes the feedback loop these attacks depend on.

Encryption protects data in transit against monitoring and manipulation, but it does not protect the data channel itself. A connected device can still be queried, interacted with, and pushed firmware by any software on the host with sufficient access, regardless of what wraps the traffic. The architectural solution is not to protect the channel but to remove it, which is what air-gapped signing does.

How Does Air-Gapped Signing Work?

Air-gapped signing involves wallet software on your computer or phone acting as the coordinator and your hardware wallet holding the private key for signing. The coordinator constructs the transaction, specifying the destination address, amount, and fees, then packages the transaction data into a PSBT (Partially Signed Bitcoin Transaction) to be passed to the hardware wallet for signing.

The PSBT is transferred to the signing device for approval and authorization. The device displays the transaction details for your review, signs the PSBT if you approve, and returns the signed transaction to the coordinator. The coordinator then broadcasts it to the Bitcoin network. For full technical detail on the PSBT format, see "What is a PSBT?"

Three air-gapped transfer methods are in common use:

MicroSD Card Transfer

The coordinator software writes the PSBT file to a MicroSD card, which is then physically removed from the computer and inserted into the signing device. The device reads the PSBT, displays the transaction details for verification, signs the transaction, and writes the signed result back to the card. The card then returns to the coordinator for broadcast.

The physical transfer is fully visible and auditable, so you can inspect what is on the card at each stage. Coldcard Mk5 and Q both support MicroSD signing.

QR Code Transfer

The coordinator software encodes the PSBT as a QR sequence and displays it on screen. For larger PSBTs, a single QR code cannot hold all the data. BBQr (Better Bitcoin QR) is an open protocol developed by Coinkite that compresses the payload and splits it across a sequence of animated frames, each carrying a sequence number so the device can scan them in any order and reassemble the full PSBT.

The signing device's camera scans the full sequence of QR codes, then processes the transaction and displays the details on its own screen for verification. Once approved, the signing device encodes the signed PSBT as a new QR sequence. The coordinator scans it and broadcasts the completed transaction.

Coldcard Q has a built-in camera and supports QR signing directly.
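The split-and-reassemble step described above, as an added example that is not part of the original article or any wallet's code. The `XQ|total|index|digest|data` frame layout is invented for illustration and is not the BBQr wire format; the point is that the receiver treats every scanned frame as untrusted input and rejects mixed, conflicting, or incomplete sequences.

```python
import base64, hashlib, zlib

MAGIC = "XQ"  # hypothetical frame tag, not BBQr's header
# Constructed stand-in payload (not a valid PSBT), used only for demonstration.
SAMPLE = b"psbt\xff" + bytes(range(200))

def split_frames(payload: bytes, chunk: int = 40) -> list[str]:
    """Compress, Base32-encode and split a payload into numbered frames."""
    body = base64.b32encode(zlib.compress(payload)).decode()
    digest = hashlib.sha256(payload).hexdigest()[:8]
    parts = [body[i:i + chunk] for i in range(0, len(body), chunk)]
    return [f"{MAGIC}|{len(parts)}|{i}|{digest}|{p}" for i, p in enumerate(parts)]

class Reassembler:
    """Collects frames scanned in any order and validates the whole sequence."""
    def __init__(self):
        self.total = self.digest = None
        self.parts = {}

    def add(self, frame: str) -> bool:
        """Accept one scanned frame; return True once every frame is present."""
        magic, total, index, digest, data = frame.split("|")
        total, index = int(total), int(index)
        if magic != MAGIC or not 0 <= index < total:
            raise ValueError("malformed frame")
        if self.total is None:
            self.total, self.digest = total, digest
        elif (total, digest) != (self.total, self.digest):
            raise ValueError("frame belongs to a different sequence")
        if self.parts.setdefault(index, data) != data:
            raise ValueError("conflicting duplicate frame")
        return len(self.parts) == self.total

    def result(self) -> bytes:
        """Return the payload only if the set is complete and the digest matches."""
        if self.total is None or len(self.parts) != self.total:
            raise ValueError("sequence incomplete")
        body = "".join(self.parts[i] for i in range(self.total))
        payload = zlib.decompress(base64.b32decode(body))
        if hashlib.sha256(payload).hexdigest()[:8] != self.digest:
            raise ValueError("digest mismatch")
        return payload
```

The digest only detects transfer errors and mixed sequences. It says nothing about whether the transaction inside is the one you intended, which is still checked on the device screen.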

NFC (Single-Tap)

NFC (near-field communication) is a short-range wireless standard that transfers small amounts of data between two devices held within a few centimeters of each other. An NFC tap transfers the PSBT and the signed response through a brief, deliberate tap between the signing device and a compatible reader.

Coldcard's NFC implementation is single-touch, so each exchange is a discrete event with no persistent session between taps. The device is not continuously broadcasting and is not reachable between exchanges.

NFC has lower throughput than QR for large PSBTs. For a standard single-signature transaction, the data volume is well within NFC's range.

Regardless of which method carries the data, the signing workflow works the same. The unsigned PSBT goes in, the device verifies and signs, and the signed PSBT comes out. The air gap changes the transport channel, not the verification requirements.

Is Bluetooth Air-Gapped?

Bluetooth is a short-range wireless radio protocol. It creates a persistent session between two devices and maintains that session while they remain paired and in range. During an active Bluetooth session, the host can initiate communication at any point, not only when you explicitly transfer a transaction.

That persistent session is the same fundamental problem as a USB cable, implemented wirelessly. Software on the host can query the device, probe its responses, and attempt to interact with it throughout the session.

NFC is sometimes compared to Bluetooth, but the two are architecturally different. NFC is bounded by physical contact and each exchange requires a deliberate physical tap, so there is no persistent session or pairing between exchanges and the host cannot initiate communication without you physically presenting the device.

A hardware wallet that signs over Bluetooth is not air-gapped, regardless of the absence of a physical cable.

What Does Air-Gapping Actually Protect Against?

Air-gapping exists to remove direct connections from the attack surface. It does not remove the need to verify what you are signing on the device's own screen, and it does not prevent malicious transaction data from reaching the device through the air-gap channel.

What air-gapping adds:

  • No USB firmware attacks. Without a connection, a malicious host cannot push unauthorized firmware to the device.

  • No persistent host-device channel. The host cannot probe or interact with the signing device between transfer events.

  • Attack surface bounded to discrete transfer events. Data can only pass during a QR scan, card insertion, or NFC tap.

What air-gapping does not protect against:

  • Malicious PSBT data. A compromised coordinator can construct a fraudulent transaction and pass it through the air-gap channel as easily as over USB.

  • Physical access to the device. An attacker with access to the device and knowledge of the PIN can reach the key regardless of how the device communicates.

  • Approving without verifying. If you approve a transaction you did not check on the device screen, the transport method is irrelevant.

Air-gapping does not address nonce integrity. Every Bitcoin signature requires a random number, called a nonce, generated fresh for each signing event. A compromised signing device could produce a nonce that appears random but follows a hidden pattern, allowing an attacker who collects enough signatures over time to work backwards and extract the private key.

Detecting this type of attack requires the anti-klepto protocol, which adds one additional roundtrip between the coordinator and the signing device.
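A simplified model of that extra roundtrip, added here as an example and not taken from the article or from any wallet's code. It goes beyond the text by spelling out the commit-and-tweak check: the host commits to randomness `rho`, the signer commits to a nonce point `R0`, and the host later verifies that the signature's nonce is `R0` shifted by a value derived from `rho`. Only the nonce point is modeled (no full ECDSA signature or tagged hashes), and the `Signer`, `tweak` and `host_check` names are hypothetical.

```python
import hashlib, secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt=G):  # double-and-add scalar multiplication
    out = None
    while k:
        if k & 1:
            out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def tweak(R0, rho):
    """Scalar that signer and host both derive from R0 and the host randomness."""
    data = R0[0].to_bytes(32, "big") + R0[1].to_bytes(32, "big") + rho
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class Signer:
    """Model device (hypothetical); honest=False ignores the host randomness."""
    def __init__(self, honest=True):
        self.honest = honest
    def commit(self, host_commitment):
        self.hc, self.k0 = host_commitment, secrets.randbelow(N - 1) + 1
        return mul(self.k0)  # R0, fixed before rho is revealed
    def sign_nonce(self, rho, R0):
        if hashlib.sha256(rho).digest() != self.hc:
            raise ValueError("host did not open its commitment")
        k = (self.k0 + tweak(R0, rho)) % N if self.honest else self.k0
        return mul(k)[0]  # x-coordinate of R, exposed as r in ECDSA

def host_check(signer):
    rho = secrets.token_bytes(32)
    R0 = signer.commit(hashlib.sha256(rho).digest())  # host commits, signer commits
    r = signer.sign_nonce(rho, R0)                    # host reveals, signer signs
    return r == add(R0, mul(tweak(R0, rho)))[0]       # nonce must include host input
```

Because the final nonce depends on randomness the device did not choose, a device that returns a nonce of its own choosing fails the host's check.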

The consistent control across every scenario is verification on the device's own screen. Before approving, check the destination address, the amount, the change address, and the fee. Air-gapping strengthens the connection architecture, but it does not replace this step.
